diff --git a/patch/0049-runc-fix-CVE-2025-52881.patch b/patch/0049-runc-fix-CVE-2025-52881.patch
new file mode 100644
index 0000000000000000000000000000000000000000..db7d0e86363c63323455afa32f5746e2225bbdd6
--- /dev/null
+++ b/patch/0049-runc-fix-CVE-2025-52881.patch
@@ -0,0 +1,47 @@
+From d61fd29d854b416feaaf128bf650325cd2182165 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai
+Date: Sat, 19 Jul 2025 16:30:26 +1000
+Subject: [PATCH] libct/system: use securejoin for /proc/$pid/stat
+
+Signed-off-by: Aleksa Sarai
+---
+ libcontainer/system/proc.go | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/libcontainer/system/proc.go b/libcontainer/system/proc.go
+index 774443ec9d2..34850dd8317 100644
+--- a/libcontainer/system/proc.go
++++ b/libcontainer/system/proc.go
+@@ -2,10 +2,12 @@ package system
+ 
+ import (
+ "fmt"
++ "io"
+ "os"
+- "path/filepath"
+ "strconv"
+ "strings"
++
++ "github.com/opencontainers/runc/internal/pathrs"
+ )
+ 
+ // State is the status of a process.
+@@ -66,8 +68,16 @@ type Stat_t struct {
+ }
+ 
+ // Stat returns a Stat_t instance for the specified process.
+-func Stat(pid int) (stat Stat_t, err error) {
+- bytes, err := os.ReadFile(filepath.Join("/proc", strconv.Itoa(pid), "stat"))
++func Stat(pid int) (Stat_t, error) {
++ var stat Stat_t
++
++ statFile, err := pathrs.ProcPidOpen(pid, "stat", os.O_RDONLY)
++ if err != nil {
++ return stat, err
++ }
++ defer statFile.Close()
++
++ bytes, err := io.ReadAll(statFile)
+ if err != nil {
+ return stat, err
+ }
diff --git a/runc.spec b/runc.spec
index faa40fcf808caf1ee41e499b24fa1d790d42797c..8d555ec132ad8935812c60b3038e6abd5547f2c6 100644
--- a/runc.spec
+++ b/runc.spec
@@ -3,7 +3,7 @@
 Name: runc
 Version: 1.1.8
-Release: 26
+Release: 27
 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
 License: ASL 2.0 
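Review bot: The backported hunk imports `github.com/opencontainers/runc/internal/pathrs` and calls `pathrs.ProcPidOpen`, but the spec in the same commit builds runc 1.1.8, which as far as I can tell does not ship an `internal/pathrs` package; unless an earlier patch in the series introduces it (not visible here), the import will not resolve and the package will fail to build, so the changelog entry should name the patch that provides it. The patch header's Subject (`use securejoin for /proc/$pid/stat`) also does not match the body, which uses `pathrs.ProcPidOpen` rather than securejoin; if this is an adapted backport of d61fd29, a line such as `[backport note: adapted to use pathrs.ProcPidOpen; see upstream d61fd29d854b]` under the Signed-off-by line would make the provenance and the deviation clear to the next packager. Upstream's fix for this CVE touched more than this one file, I believe, so confirm the other parts are carried by separate patches rather than assuming this single hunk closes the issue. The `Stat` function's body continues past the end of the inner hunk, so the remaining handling of `bytes` is not reviewable here.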
@@ -56,6 +56,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
 %{_bindir}/runc
 %changelog
+* Mon Nov 10 2025 yujingbo - 1.1.8-27
+- Type:CVE
+- CVE:CVE-2025-52881
+- SUG:NA
+- DESC:fix CVE-2025-52881
+
 * Wed Mar 26 2025 dongyuzhen - 1.1.8-26
 - Type:bugfix
 - CVE:NA